CVE-2020-10744

An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.
Race Condition
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
redhatCNA
5 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
VendorProductVersion
redhatansible
2.7.0 ≤
𝑥
≤ 2.7.18
redhatansible
2.8.0 ≤
𝑥
≤ 2.8.12
redhatansible
2.9.0 ≤
𝑥
≤ 2.9.9
redhatansible_tower
3.4.0 ≤
𝑥
≤ 3.4.5
redhatansible_tower
3.5.0 ≤
𝑥
≤ 3.5.6
redhatansible_tower
3.6.0 ≤
𝑥
≤ 3.6.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ansible
bullseye
2.10.7+merged+base+2.10.17+dfsg-0+deb11u1
fixed
buster
not-affected
stretch
not-affected
bookworm
7.7.0+dfsg-3+deb12u1
fixed
sid
10.5.0+dfsg-2
fixed
trixie
10.5.0+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ansible
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
ignored
groovy
ignored
focal
Fixed 2.9.6+dfsg-1ubuntu0.1~esm1
released
eoan
ignored
bionic
Fixed 2.5.1+dfsg-1ubuntu0.1+esm1
released
xenial
Fixed 2.0.0.2-2ubuntu1.3+esm1
released
trusty
needs-triage
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744